Re: Remediation Plan for WoSign and StartCom

2016-10-23 Thread Samuel Pinder
There are some good questions there, actually. OEM SSL, does that mean
another CA would be doing the validation and issuing using their own
infrastructure and team, which you would be reselling via a
constrained intermediate? I don't think it'd be a good idea at present
to be gaining effectively a new CA certificate that is cross-signed,
only to be using the existing infrastructure that is currently meant
to be undergoing remediation. That'd probably be put under the same
restrictions too if that's the case.
Samuel Pinder


On Mon, Oct 24, 2016 at 6:43 AM, Richard Wang wrote:
> For Q1: This is an OEM SSL from another trusted CA;
> For Q2: We stopped the free SSL certificate after Apple's announcement; it is
> announced on our free SSL website;
> For Q3:  I am the Acting CEO now till the new CEO arrives.
>
>
> Best Regards,
>
> Richard
>
> From: Eric Mill [mailto:e...@konklone.com]
> Sent: Monday, October 24, 2016 12:05 PM
> To: Richard Wang 
> Cc: Kathleen Wilson ; 
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Remediation Plan for WoSign and StartCom
>
> Hi Richard,
>
> A few questions -
>
> 1) Your post says "There will be new SSL certificates issued by a new WoSign 
> intermediate CA which is signed by the one of global trusted root CA, it 
> supports all the browsers (including Firefox). This will be done within one 
> months."
>
> How will this WoSign intermediate CA be different from the 4 affected roots? 
> Will it use the same WoSign issuance infrastructure used by the 4 roots that 
> Mozilla has decided to distrust?
>
> 2) Your announcement to customers only discusses Mozilla's action. Are you 
> planning to inform customers of how Apple's decision to distrust WoSign's 
> roots will affect WoSign operations?
>
> 3) A previous Qihoo 360 document said that you are being removed as WoSign 
> CEO. Are you still authorized by Qihoo 360 to make announcements like this?
>
> -- Eric
>
> On Sun, Oct 23, 2016 at 10:46 PM, Richard Wang wrote:
> Hi Kathleen,
>
> WoSign released the news today since I just came back from the USA CABF meeting.
>
> http://www.wosign.com/news/announcement_about_Mozilla_Action_20161024.htm (in 
> Chinese)
>
> https://www.wosign.com/english/News/announcement_about_Mozilla_Action_20161024.htm
>   (in English)
>
>
>
> Best Regards,
>
> Richard
>
> -Original Message-
> From: dev-security-policy 
> [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org]
>  On Behalf Of Kathleen Wilson
> Sent: Friday, October 21, 2016 10:43 AM
> To: 
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Remediation Plan for WoSign and StartCom
>
> On Thursday, October 20, 2016 at 6:59:08 PM UTC-7, Percy wrote:
>> Kathleen,
>> As most users affected by this decision are Chinese, will you be able to
>> make the blog post available in Chinese on the security blog as well? You
>> can ask the Chinese Firefox community or me to translate.
>>
>> As I stated earlier, there is almost no news of the distrust of
>> WoSign/StartCom on the Chinese Internet and WoSign/StartCom has not posted
>> anything related to this. I believe it's paramount to prepare Chinese
>> website owners for the phasing out of the affected roots.
>
> Noted. I will look into how to get it translated into Chinese and how to make 
> that version available as well.
>
> Thanks,
> Kathleen
>
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
>
>
> --
> konklone.com | @konklone
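
Added example, not code from the thread or from WoSign: Eric's question above (will the intermediate signed by another root run on the same issuance infrastructure as the distrusted roots?) and Samuel's point about a cross-signed CA certificate can both be checked mechanically from the certificates themselves. The Go program below builds a constructed PKI with invented names (a distrusted root, another trusted root, one issuing-CA key certified by both, and a server certificate), validates the server certificate against each root with Go's crypto/x509, and compares SubjectPublicKeyInfo fingerprints to show that the "new" intermediate is the old issuing key cross-signed. The host name www.example.test and all CA names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario is a constructed PKI with invented names (not WoSign's or any real CA's).
type Scenario struct {
	DistrustedRoot, OtherRoot, OldIntermediate, CrossSignedIntermediate, Leaf *x509.Certificate
}

type Verdict struct { // what a relying party learns about the leaf's chain
	ValidUnderOtherRoot, ValidUnderDistrustedRoot, CrossSigned bool
	ReusedCAKeys                                                []string // CAs whose key the distrusted root also certified
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func template(cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if !isCA { // server cert: signing key usage, serverAuth EKU and a SAN the verifier can match
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage, t.DNSNames = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []string{cn}
	}
	return t
}

// sign issues tmpl for pub under parent; parent == tmpl gives a self-signed root.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))))
}

// BuildScenario: one issuing-CA key is certified by a root a browser has distrusted and
// again, with the same subject, by another still-trusted root, i.e. a cross-sign.
func BuildScenario() Scenario {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	distrustedKey, otherKey, caKey, leafKey := newKey(), newKey(), newKey(), newKey()
	dt, ot := template("Distrusted Root (example)", true), template("Other Trusted Root (example)", true)
	distrusted, other := sign(dt, dt, &distrustedKey.PublicKey, distrustedKey), sign(ot, ot, &otherKey.PublicKey, otherKey)
	oldCA := sign(template("Example Issuing CA", true), distrusted, &caKey.PublicKey, distrustedKey)
	crossCA := sign(template("Example Issuing CA", true), other, &caKey.PublicKey, otherKey)
	leaf := sign(template("www.example.test", false), crossCA, &leafKey.PublicKey, caKey)
	return Scenario{distrusted, other, oldCA, crossCA, leaf}
}

// Chain validates leaf for host with root as the sole trust anchor and returns the path built.
func Chain(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate, host string) ([]*x509.Certificate, bool) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	if err != nil {
		return nil, false
	}
	return chains[0], true
}

// SPKIFingerprint hashes the SubjectPublicKeyInfo: identical for every cert issued to one key.
func SPKIFingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}

// IsCrossSign: same subject and key, different issuer.
func IsCrossSign(a, b *x509.Certificate) bool {
	return a.Subject.String() == b.Subject.String() && SPKIFingerprint(a) == SPKIFingerprint(b) &&
		a.Issuer.String() != b.Issuer.String()
}

// Evaluate: the chain may avoid the distrusted root yet still run on the issuing key it certified.
func Evaluate(s Scenario, host string) Verdict {
	inters := []*x509.Certificate{s.OldIntermediate, s.CrossSignedIntermediate}
	distrustedKeys := map[string]bool{SPKIFingerprint(s.OldIntermediate): true} // keys seen under the distrusted root
	chain, ok := Chain(s.Leaf, inters, s.OtherRoot, host)
	v := Verdict{ValidUnderOtherRoot: ok, CrossSigned: IsCrossSign(s.OldIntermediate, s.CrossSignedIntermediate)}
	_, v.ValidUnderDistrustedRoot = Chain(s.Leaf, inters, s.DistrustedRoot, host)
	for _, c := range chain {
		if c.IsCA && distrustedKeys[SPKIFingerprint(c)] {
			v.ReusedCAKeys = append(v.ReusedCAKeys, c.Subject.CommonName)
		}
	}
	return v
}
```

Against a real server you would replace BuildScenario with the PEM chain the server sends and fill distrustedKeys with SPKI fingerprints of CA certificates previously seen under the distrusted roots (from the old chains or from CT logs). A chain that validates only through the new root but still reports a reused CA key is exactly the cross-sign Samuel describes: a new path to trust, the same issuing key and therefore the same infrastructure behind it.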


RE: Remediation Plan for WoSign and StartCom

2016-10-23 Thread Richard Wang
For Q1: This is an OEM SSL from another trusted CA;
For Q2: We stopped the free SSL certificate after Apple's announcement; it is
announced on our free SSL website;
For Q3:  I am the Acting CEO now till the new CEO arrives.


Best Regards,

Richard

From: Eric Mill [mailto:e...@konklone.com]
Sent: Monday, October 24, 2016 12:05 PM
To: Richard Wang 
Cc: Kathleen Wilson ; 
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Remediation Plan for WoSign and StartCom

Hi Richard,

A few questions -

1) Your post says "There will be new SSL certificates issued by a new WoSign 
intermediate CA which is signed by the one of global trusted root CA, it 
supports all the browsers (including Firefox). This will be done within one 
months."

How will this WoSign intermediate CA be different from the 4 affected roots? 
Will it use the same WoSign issuance infrastructure used by the 4 roots that 
Mozilla has decided to distrust?

2) Your announcement to customers only discusses Mozilla's action. Are you 
planning to inform customers of how Apple's decision to distrust WoSign's roots 
will affect WoSign operations?

3) A previous Qihoo 360 document said that you are being removed as WoSign CEO. 
Are you still authorized by Qihoo 360 to make announcements like this?

-- Eric

On Sun, Oct 23, 2016 at 10:46 PM, Richard Wang wrote:
Hi Kathleen,

WoSign released the news today since I just came back from the USA CABF meeting.

http://www.wosign.com/news/announcement_about_Mozilla_Action_20161024.htm (in 
Chinese)

https://www.wosign.com/english/News/announcement_about_Mozilla_Action_20161024.htm
  (in English)



Best Regards,

Richard

-Original Message-
From: dev-security-policy 
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org]
 On Behalf Of Kathleen Wilson
Sent: Friday, October 21, 2016 10:43 AM
To: 
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Remediation Plan for WoSign and StartCom

On Thursday, October 20, 2016 at 6:59:08 PM UTC-7, Percy wrote:
> Kathleen,
> As most users affected by this decision are Chinese, will you be able to make
> the blog post available in Chinese on the security blog as well? You can ask
> the Chinese Firefox community or me to translate.
>
> As I stated earlier, there is almost no news of the distrust of
> WoSign/StartCom on the Chinese Internet and WoSign/StartCom has not posted
> anything related to this. I believe it's paramount to prepare Chinese website
> owners for the phasing out of the affected roots.

Noted. I will look into how to get it translated into Chinese and how to make 
that version available as well.

Thanks,
Kathleen




--
konklone.com | @konklone


Re: Remediation Plan for WoSign and StartCom

2016-10-23 Thread Eric Mill
Hi Richard,

A few questions -

1) Your post says "There will be new SSL certificates issued by a new
WoSign intermediate CA which is signed by the one of global trusted root
CA, it supports all the browsers (including Firefox). This will be done
within one months."

How will this WoSign intermediate CA be different from the 4 affected
roots? Will it use the same WoSign issuance infrastructure used by the 4
roots that Mozilla has decided to distrust?

2) Your announcement to customers only discusses Mozilla's action. Are you
planning to inform customers of how Apple's decision to distrust WoSign's
roots will affect WoSign operations?

3) A previous Qihoo 360 document said that you are being removed as WoSign
CEO. Are you still authorized by Qihoo 360 to make announcements like this?

-- Eric

On Sun, Oct 23, 2016 at 10:46 PM, Richard Wang wrote:

> Hi Kathleen,
>
> WoSign released the news today since I just came back from the USA CABF
> meeting.
>
> http://www.wosign.com/news/announcement_about_Mozilla_Action_20161024.htm
> (in Chinese)
>
> https://www.wosign.com/english/News/announcement_about_Mozilla_Action_20161024.htm (in English)
>
>
>
> Best Regards,
>
> Richard
>
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-bounces+richard=
> wosign@lists.mozilla.org] On Behalf Of Kathleen Wilson
> Sent: Friday, October 21, 2016 10:43 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Remediation Plan for WoSign and StartCom
>
> On Thursday, October 20, 2016 at 6:59:08 PM UTC-7, Percy wrote:
> > Kathleen,
> > As most users affected by this decision are Chinese, will you be able to
> > make the blog post available in Chinese on the security blog as well? You
> > can ask the Chinese Firefox community or me to translate.
> >
> > As I stated earlier, there is almost no news of the distrust of
> > WoSign/StartCom on the Chinese Internet and WoSign/StartCom has not posted
> > anything related to this. I believe it's paramount to prepare Chinese
> > website owners for the phasing out of the affected roots.
>
> Noted. I will look into how to get it translated into Chinese and how to
> make that version available as well.
>
> Thanks,
> Kathleen
>
>



-- 
konklone.com | @konklone 


RE: Remediation Plan for WoSign and StartCom

2016-10-23 Thread Richard Wang
Hi Kathleen,

WoSign released the news today since I just came back from the USA CABF meeting.

http://www.wosign.com/news/announcement_about_Mozilla_Action_20161024.htm (in 
Chinese)

https://www.wosign.com/english/News/announcement_about_Mozilla_Action_20161024.htm
  (in English)



Best Regards,

Richard

-Original Message-
From: dev-security-policy 
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On 
Behalf Of Kathleen Wilson
Sent: Friday, October 21, 2016 10:43 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Remediation Plan for WoSign and StartCom

On Thursday, October 20, 2016 at 6:59:08 PM UTC-7, Percy wrote:
> Kathleen,
> As most users affected by this decision are Chinese, will you be able to make
> the blog post available in Chinese on the security blog as well? You can ask
> the Chinese Firefox community or me to translate.
>
> As I stated earlier, there is almost no news of the distrust of
> WoSign/StartCom on the Chinese Internet and WoSign/StartCom has not posted
> anything related to this. I believe it's paramount to prepare Chinese website
> owners for the phasing out of the affected roots.

Noted. I will look into how to get it translated into Chinese and how to make 
that version available as well.

Thanks,
Kathleen



Re: Remediation Plan for WoSign and StartCom

2016-10-23 Thread Erwann Abalea
Hello,

On Friday, October 21, 2016 at 12:48:21 PM UTC+2, marc@gmail.com wrote:
[...]
> Just the opinion of a user who is securing services, websites and his mails 
> with certificates but is not capable of paying hundreds of Euros / Dollars 
> for achieving this goal every year.

DV certificates can be found for much less than that. Less than $5 for a DV 
cert, less than $35 for an OV cert, $11 for an S/MIME cert (which nobody uses 
so far because it's a mess, but I digress).

It's nice to be able to have free certificates, but I don't consider $5 a year 
for a DV to be expensive.


Re: StartCom & Qihoo Incidents

2016-10-23 Thread nessuno . acasa
On Sunday, October 23, 2016 at 7:56:16 AM UTC+3, Peter Bowen wrote:

> is a wholly owned subsidiary of Tianjim Qixin Tongda Technology Co.,
> Ltd. 
> https://www.chinatechnews.com/2016/04/27/23475-qihoo-360s-privatization-approved-by-ndrc

From the provided link, I am flabbergasted by the reason to go private:

"As a publicly-listed Chinese company in the United States, Qihoo 360 has faced 
the pressures of being a public company. Transparency dogged the company, which 
also has a security software component, and ultimately the company saw the U.S. 
public markets as incompatible with how the company wanted to conduct business."

so apropos...

